Re: error: ssh_selinux_getctxbyname: Failed to get default SELinux security context

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 28, 2010 at 01:56:13PM +0200, imsand@xxxxxxxxx wrote:
> > On 28/09/10 08:24, imsand@xxxxxxxxx wrote:
> >> Hello
> >>
> >> I get the following error when I try to log in through ssh (even if
> >> selinux is in permissive mode!!!):
> >>
> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: Accepted
> >> keyboard-interactive/pam for mat from 131.102.233.127 port 58912 ssh2
> >> Sep 28 09:01:32 stvlx05.test.admin.ch kernel: [60557.252750] type=1400
> >> audit(1285657292.298:286): avc:  denied  { audit_control } for
> >> pid=12614
> >> comm="sshd" capability=30  scontext=system_u:system_r:sysadm_t
> >> tcontext=system_u:system_r:sysadm_t tclass=capability
> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12621]: error:
> >> ssh_selinux_getctxbyname: Failed to get default SELinux security context
> >> for mat
> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
> >> ssh_selinux_getctxbyname: Failed to get default SELinux security context
> >> for mat
> >> Sep 28 09:01:32 stvlx05.test.ch sshd[12614]: error:
> >> ssh_selinux_setup_pty:
> >> security_compute_relabel: Invalid argument
> >>
> >> I already went through this post:
> >> http://www.nsa.gov/research/selinux/list-archive/0910/30906.shtml but I
> >> can't figure out the exact problem.
> >>
> >> Here is what I've done so far:
> >> - Downloaded the latest reference policy from tresys:
> >> http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2
> >> - Compiled and installed it on my sles 11.1
> >> - set selinux into permissive mode: (so far so good.. :))
> >> sestatus
> >> SELinux status:                 enabled
> >> SELinuxfs mount:                /selinux
> >> Current mode:                   permissive
> >> Mode from config file:          permissive
> >> Policy version:                 24
> >> Policy from config file:        refpolicy
> >> - Add selinux user "mat_u": semanage user -R "staff_r system_r" -P user
> >> -a
> >> mat_u
> >> - Add linux user " mat": useradd mat
> >> - Set password for "mat": passwd mat
> >> - User mapping: semanage login -s mat_u -a mat
> >> - add security context for "mat_u" by copying staff_u's context (don't
> >> know if that's needed??!): cp
> >> /etc/selinux/refpolicy/contexts/user/staff_u
> >> /etc/selinux/refpolicy/contexts/user/mat_u
> >> - set boolean for sysadm ssh login to true (don't know if thats
> >> needed?!):
> >> setsebool ssh_sysadm_login on
> >>
> >> In other posts I've read something about sepermit.conf and
> >> namespace.conf
> >> but these files don't exist on my system. What about these files? Do I
> >> need them?
> >> What's wrong on my system?
> >> Why it's not possible to login even if selinux is in permissive mode?
> >> Any suggestions?
> >
> > I'd start by trying to figure out why sshd isn't running in sshd_t (it
> > seems to be running in sysadm_t).
> >
> > Paul.
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> 
> Yes, sshd is running in sysadm_t:
> 
> # ps axZ | grep sshd
> system_u:system_r:sysadm_t       3632 ?        Ss     0:00 /usr/sbin/sshd
> -o PidFile=/var/run/sshd.init.pi
> 
> # ls -Z /usr/sbin/sshd
> system_u:object_r:sshd_exec_t /usr/sbin/sshd
> 
> Don't know why it's not sshd_t. I didn't modified something. It's a
> standard installation of sles11 with the default reference policy from
> tresys.
> 
> Maybe this code snippet from policy/modules/services/ssh.te is responsible
> for that:
> ## <desc>
> ## <p>
> ## Allow ssh logins as sysadm_r:sysadm_t
> ## </p>
> ## </desc>
> gen_tunable(ssh_sysadm_login, true)
> 
> Any ideas?

Do you have boolean init_upstart set to on? if not try setting it to on.
I do not believe ssh_sysadm_login boolean works currently but i may be mistaken.
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Attachment: pgpxtIOIlcAjg.pgp
Description: PGP signature

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux